[opensuse] How do I use a Yubikey NEO?
Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
TIA
Bob
On Thursday, 6 December 2018 22:52:43 CET, Bob Williams wrote:
> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
> TIA
> Bob

This usually means the GRUB Bootloader was not installed properly on the laptop's SSD/HDD. Boot the laptop, remove the USB stick, and fire up YaST - System - Bootloader. Click OK, and that should regenerate a boot loader config and install on the internal disk.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 07.12.2018 at 01:00, Knurpht-openSUSE wrote:
> On Thursday, 6 December 2018 22:52:43 CET, Bob Williams wrote:
>> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
>> TIA
>> Bob
> This usually means the GRUB Bootloader was not installed properly on the laptop's SSD/HDD. Boot the laptop, remove the USB stick, and fire up YaST - System - Bootloader. Click OK, and that should regenerate a boot loader config and install on the internal disk.

You misunderstood. He wasn't asking for help because his laptop is not booting. Quite the contrary, he wants to have yubikey set up as a second factor required for booting.

Back to the original question: I don't know about any such solution. There are some projects that enable protecting luks encrypted partitions with yubikey. But that would require having a separate unencrypted boot partition, or encrypted with a password that you can type in grub.

Adam Mizerski
On Friday, 7 December 2018 09:04:21 CET, Adam Mizerski wrote:
> On 07.12.2018 at 01:00, Knurpht-openSUSE wrote:
>> On Thursday, 6 December 2018 22:52:43 CET, Bob Williams wrote:
>>> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
>>> TIA
>>> Bob
>> This usually means the GRUB Bootloader was not installed properly on the laptop's SSD/HDD. Boot the laptop, remove the USB stick, and fire up YaST - System - Bootloader. Click OK, and that should regenerate a boot loader config and install on the internal disk.
> You misunderstood. He wasn't asking for help because his laptop is not booting. Quite the contrary, he wants to have yubikey set up as a second factor required for booting.
> Back to the original question: I don't know about any such solution. There are some projects that enable protecting luks encrypted partitions with yubikey. But that would require having a separate unencrypted boot partition, or encrypted with a password that you can type in grub.
> Adam Mizerski

You are 100% right, I misread completely.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On Thursday, December 06, 2018 22:52 CET, Bob Williams <usenet@karmasailing.uk> wrote:
> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.

You will need to find a solution how GRUB can load the necessary code from an encrypted partition to access the Yubikey so it can use it to decrypt the partition in the first place.

The reason for this is that GRUB can't add arbitrary amounts of code to the initial boot (i.e. the part which will mount the boot partition). After the boot partition is available, more code can be loaded. That's the reason why you get a US English keyboard with GRUB when using an encrypted boot partition.

The first solution is to use an unencrypted partition for GRUB itself. That means anyone with access to the laptop can see what OS and version is installed. In this case, only the system and data partitions are encrypted.

The second solution is to use an encrypted boot partition which isn't protected by Yubikey. You will have to type in a password to be able to start GRUB. Afterwards, GRUB can load the Yubikey code and use that to mount the other partitions.

As for "idiot's guide to set up Yubikey", then I'm looking for that as well. Anyone?

Regards,
-- Aaron "Optimizer" Digulla a.k.a. Philmann Dark "It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits." http://blog.pdark.de/
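The two layouts described in the message above can be told apart from `lsblk` output. This is an added example, not part of the original post: the function names, result labels and sample JSON are constructed for illustration, and it assumes the output format of util-linux's `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`:
# a plain ext4 /boot next to a LUKS container holding the root filesystem.
SAMPLE_PLAIN_BOOT = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "cr_root", "type": "crypt", "fstype": "btrfs", "mountpoint": "/"}
     ]}
  ]}
]}
"""

def mounts(devices, encrypted=False):
    """Yield (mountpoint, is_encrypted) for every mounted node in the tree.

    A node counts as encrypted when it, or any ancestor, is a dm-crypt
    mapping (lsblk TYPE "crypt").
    """
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], enc
        yield from mounts(dev.get("children") or [], enc)

def classify_boot_layout(lsblk_json):
    """Return 'plain-boot', 'encrypted-boot' or 'no-encryption' (hypothetical labels)."""
    table = dict(mounts(json.loads(lsblk_json)["blockdevices"]))
    if "/" not in table:
        raise ValueError("no root filesystem in lsblk output")
    root_enc = table["/"]
    # Without a separate /boot mount, /boot is just a directory on the root fs.
    boot_enc = table.get("/boot", root_enc)
    if boot_enc:
        # "Second solution": GRUB asks for a typed passphrase before anything loads.
        return "encrypted-boot"
    if root_enc:
        # "First solution": kernel and initrd are readable on disk; only the
        # system and data partitions are protected.
        return "plain-boot"
    return "no-encryption"

if __name__ == "__main__":
    print(classify_boot_layout(SAMPLE_PLAIN_BOOT))
```

On a live system the input would come from running the `lsblk` command above; a Btrfs root with many subvolumes may report a different mountpoint for the same device, so check the result against `/proc/mounts`.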
On Fri, 07 Dec 2018 09:51:45 +0100 "Aaron Digulla" <digulla@hepe.com> wrote:
> On Thursday, December 06, 2018 22:52 CET, Bob Williams <usenet@karmasailing.uk> wrote:
>> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
> You will need to find a solution how GRUB can load the necessary code from an encrypted partition to access the Yubikey so it can use it to decrypt the partition in the first place.
> The reason for this is that GRUB can't add arbitrary amounts of code to the initial boot (i.e. the part which will mount the boot partition). After the boot partition is available, more code can be loaded. That's the reason why you get a US English keyboard with GRUB when using an encrypted boot partition.
> The first solution is to use an unencrypted partition for GRUB itself. That means anyone with access to the laptop can see what OS and version is installed. In this case, only the system and data partitions are encrypted.
> The second solution is to use an encrypted boot partition which isn't protected by Yubikey. You will have to type in a password to be able to start GRUB. Afterwards, GRUB can load the Yubikey code and use that to mount the other partitions.
> As for "idiot's guide to set up Yubikey", then I'm looking for that as well. Anyone?
> Regards,

Thanks to all who've replied. It's slightly reassuring to know that others find this as obscure as me.
-- Bob Williams System: Linux 4.19.2-1.g8adee6e-default Distro: Desktop: KDE Frameworks: 5.45.0, Qt: 5.9.4 and Plasma: 5.12.5
Re-sending, accidentally replied off-list.

On 12/6/18 10:52 PM, Bob Williams wrote:
> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.

There are multiple solutions for that, after a quick read about Yubikey on Archwiki this [1] entry describes what you want, I believe. The links mentioned there are somewhat Arch-specific, but they reference other sources of information which aren't, going as far as mentioning a LUKS whitepaper [2] and a full-fledged enterprise-like solution [3], so I believe you can figure it out eventually. Certainly not an idiot's guide (because none of them is comprehensive), but at the same time, you need to understand some basics to be able to troubleshoot the setup, if needed.

I personally go with the classic encrypted /boot (so enter the passphrase twice), and then Yubico's PAM [4] to ensure that logging into the user account is not possible without a Yubikey.

Although 2FA boot sounds interesting. Another area of investigation is an integration 2FA pre-boot, with the drives that support FDE [5] (and those new SSDs do).

[1]: <https://wiki.archlinux.org/index.php/YubiKey#YubiKey_and_LUKS_encrypted_partition/disk>
[2]: <http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf>
[3]: <https://github.com/privacyidea/privacyidea>
[4]: <https://developers.yubico.com/yubico-pam/>
[5]: <https://www.yubico.com/wp-content/uploads/2012/10/YubiKey-Integration-for-Full-Disk-Encryption-with-Pre-Boot-Authentication-v1.2.pdf>
-- Alex
On Sun, 9 Dec 2018 15:20:40 +0100 Oleksii Vilchanskyi <oleksii.vilchanskyi@gmail.com> wrote:
> Re-sending, accidentally replied off-list.
> On 12/6/18 10:52 PM, Bob Williams wrote:
>> Can anyone point me to an idiot's guide to using a Yubikey Neo? For example, I'd like to set it up so that my laptop won't boot unless the key is inserted in a USB slot.
> There are multiple solutions for that, after a quick read about Yubikey on Archwiki this [1] entry describes what you want, I believe. The links mentioned there are somewhat Arch-specific, but they reference other sources of information which aren't, going as far as mentioning a LUKS whitepaper [2] and a full-fledged enterprise-like solution [3], so I believe you can figure it out eventually. Certainly not an idiot's guide (because none of them is comprehensive), but at the same time, you need to understand some basics to be able to troubleshoot the setup, if needed.
> I personally go with the classic encrypted /boot (so enter the passphrase twice), and then Yubico's PAM [4] to ensure that logging into the user account is not possible without a Yubikey.
> Although 2FA boot sounds interesting. Another area of investigation is an integration 2FA pre-boot, with the drives that support FDE [5] (and those new SSDs do).
> [1]: <https://wiki.archlinux.org/index.php/YubiKey#YubiKey_and_LUKS_encrypted_partition/disk>
> [2]: <http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf>
> [3]: <https://github.com/privacyidea/privacyidea>
> [4]: <https://developers.yubico.com/yubico-pam/>
> [5]: <https://www.yubico.com/wp-content/uploads/2012/10/YubiKey-Integration-for-Full-Disk-Encryption-with-Pre-Boot-Authentication-v1.2.pdf>

Hey, thanks Alex. Lots of good material there.
-- Bob Williams System: Linux 4.19.2-1.g8adee6e-default Distro: Desktop: KDE Frameworks: 5.45.0, Qt: 5.9.4 and Plasma: 5.12.5